Ransomnews
Security

The 5 most exploited CVEs of Q1 2026 and how to patch them first

By Ransomnews Research Team, April 30, 2026 (updated April 30, 2026)
[Image: A vulnerability dashboard with five CVE entries and severity bars, magnifying glass over the top row]

Patch lists ranked by CVSS score don’t reflect what’s actually being attacked. Real-world exploitation telemetry, CISA KEV additions, Shadowserver scan data, and the early-stage TTPs we’ve reviewed across ransomware initial-access cases paint a much narrower picture. Most of Q1 2026’s intrusions traced back to a small handful of vulnerabilities, several of them disclosed before 2024. The order of operations matters more than the score on the page.

Here’s the priority list based on what we’ve watched land this quarter, with the patching guidance for each.
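The reordering the intro argues for can be scripted against the CISA KEV feed. The example below is added here and is not the article’s code or a Ransomnews tool. It mirrors the field names the real KEV JSON uses (cveID, dateAdded, dueDate, knownRansomwareCampaignUse), but the feed excerpt, the CVE identifiers (deliberately malformed as CVE-0000-…), the host names and the CVSS scores are all constructed placeholders. It ranks a backlog by exposure and exploitation evidence first and CVSS last, and applies the seventy-two-hour “assume compromise” rule from section 1 using KEV dateAdded as the clock, which is an assumption; substitute your own first-seen telemetry where you have it.

```python
import json
from datetime import date, timedelta

# Constructed stand-in for the CISA Known Exploited Vulnerabilities feed.
# The real feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json)
# uses these field names; the entries below are placeholders, not real CVEs.
KEV_SAMPLE = """
{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVPN", "product": "SSL-VPN gateway",
   "dateAdded": "2026-01-12", "dueDate": "2026-02-02", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-0002", "vendorProject": "ExampleWiki", "product": "Collaboration server",
   "dateAdded": "2026-03-01", "dueDate": "2026-03-22", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-0000-0003", "vendorProject": "ExampleOS", "product": "Desktop kernel",
   "dateAdded": "2026-03-20", "dueDate": "2026-04-10", "knownRansomwareCampaignUse": "Unknown"}
]}
"""

# Constructed asset inventory: one row per (host, unpatched CVE), with the CVSS
# base score the scanner reported and whether the host answers on a public IP.
INVENTORY = [
    {"host": "vpn-01",    "cve": "CVE-0000-0001", "cvss": 7.5,  "internet_facing": True},
    {"host": "wiki-int",  "cve": "CVE-0000-0002", "cvss": 9.8,  "internet_facing": False},
    {"host": "laptop-77", "cve": "CVE-0000-0003", "cvss": 7.8,  "internet_facing": False},
    {"host": "db-02",     "cve": "CVE-0000-0009", "cvss": 10.0, "internet_facing": False},  # not in KEV
    {"host": "web-03",    "cve": "CVE-0000-0010", "cvss": 6.1,  "internet_facing": True},   # not in KEV
]

# The article's rule of thumb: an exposed box still unpatched 72 hours after
# exploitation became public is treated as compromised, not merely overdue.
ASSUME_COMPROMISE_AFTER = timedelta(hours=72)


def load_kev(feed_json):
    """Index the KEV feed by CVE id."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def tier(asset, kev_entry):
    """Lower tier patches first. Exposure and exploitation evidence outrank CVSS."""
    exposed = asset["internet_facing"]
    if kev_entry is None:
        return 3 if exposed else 4
    ransomware = kev_entry.get("knownRansomwareCampaignUse") == "Known"
    if exposed and ransomware:
        return 0
    return 1 if exposed else 2


def prioritise(inventory, kev, today):
    """Return the inventory ordered by tier, then KEV due date, then CVSS."""
    rows = []
    for asset in inventory:
        entry = kev.get(asset["cve"])
        due = entry["dueDate"] if entry else None
        # KEV dateAdded stands in for 'exploitation became public' (an assumption);
        # if your telemetry has an earlier first-seen date, use that instead.
        overdue = False
        if entry and asset["internet_facing"]:
            added = date.fromisoformat(entry["dateAdded"])
            overdue = today - added > ASSUME_COMPROMISE_AFTER
        rows.append({**asset, "tier": tier(asset, entry), "kev_due": due,
                     "assume_compromised": overdue})
    # ISO dates sort correctly as strings; '9999' pushes non-KEV rows last within a tier.
    rows.sort(key=lambda r: (r["tier"], r["kev_due"] or "9999", -r["cvss"]))
    return rows


def cvss_order(inventory):
    """What a CVSS-sorted backlog would have told you to patch first, for contrast."""
    return [a["host"] for a in sorted(inventory, key=lambda a: -a["cvss"])]


def example_rows():
    """Run the constructed inventory against the constructed feed as of 2026-03-31."""
    return prioritise(INVENTORY, load_kev(KEV_SAMPLE), date(2026, 3, 31))


if __name__ == "__main__":
    for r in example_rows():
        flag = "  <- assume compromised" if r["assume_compromised"] else ""
        print(f"tier {r['tier']}  {r['host']:10} {r['cve']}  cvss {r['cvss']:<4} due {r['kev_due']}{flag}")
    print("CVSS-only order would have been:", ", ".join(cvss_order(INVENTORY)))
```

On the sample data the CVSS-only list puts the internal database host first and the exposed VPN gateway fourth; the KEV-and-exposure ordering puts the gateway first and flags it for an incident-response check, not just a patch, because it has been exposed well past the seventy-two-hour window.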

1. Edge VPN appliances: Ivanti, Citrix, Fortinet

If you operate any internet-facing VPN concentrator from Ivanti, Citrix, or Fortinet, this is your first stop. The Ivanti Connect Secure and Policy Secure chains disclosed across 2024-2025, the Citrix NetScaler bugs, and Fortinet’s FortiOS SSL-VPN issues continue to be the leading initial-access path for at least three named ransomware affiliates. Several of these CVEs are exploitable pre-authentication and yield a foothold inside the perimeter immediately.

Patching guidance: pull every appliance to the latest vendor-recommended firmware, then assume compromise on anything that sat internet-facing and unpatched for more than seventy-two hours after disclosure. Patching does not evict an implant that is already on the box, so on anything in that category run the vendor’s integrity checker, look for web-shell artefacts, and rebuild from a clean vendor image if either turns something up. Rotate the credentials the appliance holds for reaching internal directories (the LDAP or AD bind account above all), because those are what an attacker takes off the device before moving inward.

2. Microsoft Outlook and Exchange: RCE chains

Outlook NTLM-relay and Exchange ProxyLogon-style chains keep resurfacing because organisations either run unpatched on-prem Exchange or sit on hybrid configurations where the on-prem half is forgotten. Several of the Q1 2026 intrusions we’ve reviewed traced back to a fully unpatched on-prem Exchange server that the IT team thought was decommissioned but was still answering on a public IP.

Patching guidance: inventory every Exchange endpoint reachable from the public internet (OWA, ECP, EWS, Autodiscover and ActiveSync) and confirm the build number on each server against Microsoft’s published Exchange build table rather than against what the CMDB says; in a hybrid deployment the on-prem half still needs this even if every mailbox has moved to the cloud. The Outlook NTLM-relay bugs trigger on a received message rather than an exposed port, so the client fleet counts as a surface too. If you cannot patch within the SLA window, the only acceptable answer is to take the surface down. There’s no middle path here.
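The forgotten-server case above is found by fingerprinting, not by asking the CMDB. The example below is added here and is not the article’s code or a Ransomnews tool. It reads the response an Outlook Web App front end returns for /owa/, pulls the build number from the X-OWA-Version header or from the versioned resource path in the logon page, and maps it to an Exchange generation. The header names and path pattern are the ones on-prem OWA commonly emits; the three sample responses are constructed, and the mail.example.test host name and the build values in them are placeholders. The build it reports tells you which server is answering, not whether it is patched; that comparison is against Microsoft’s build table.

```python
import re
import ssl
import http.client

# Constructed samples of what a probe of https://<host>/owa/ typically gets back.
# Header names (X-OWA-Version, X-FEServer) and the build-number path segment are the
# ones on-prem Outlook Web App commonly emits; the values here are placeholders.
SAMPLE_OWA = {
    "status": 200,
    "headers": {"Server": "Microsoft-IIS/10.0", "X-OWA-Version": "15.1.2507.6",
                "X-FEServer": "EXCH01"},
    "body": '<link rel="shortcut icon" href="/owa/auth/15.1.2507/themes/resources/favicon.ico">',
}
SAMPLE_REDIRECT = {  # an unauthenticated hit is often bounced to the logon page first
    "status": 302,
    "headers": {"Server": "Microsoft-IIS/10.0",
                "Location": "https://mail.example.test/owa/auth/logon.aspx?url=https%3a%2f%2fmail.example.test%2fowa%2f"},
    "body": "",
}
SAMPLE_NOT_EXCHANGE = {"status": 404, "headers": {"Server": "nginx"}, "body": "not found"}

BUILD_IN_PATH = re.compile(r"/owa/(?:auth/)?(\d+\.\d+\.\d+)/")
FAMILIES = {"14": "Exchange 2010", "15.0": "Exchange 2013",
            "15.1": "Exchange 2016", "15.2": "Exchange 2019"}


def family(build):
    """Map a build number such as 15.1.2507.6 to the Exchange generation it belongs to."""
    if build is None:
        return None
    parts = build.split(".")
    major = parts[0]
    minor = parts[1] if len(parts) > 1 else ""
    return FAMILIES.get(major) or FAMILIES.get(f"{major}.{minor}") or "unknown"


def fingerprint(resp):
    """Decide whether a response came from an on-prem Exchange front end and pull its build."""
    headers = {k.lower(): v for k, v in resp["headers"].items()}
    build = headers.get("x-owa-version")
    if build is None:
        # Fall back to the versioned resource path OWA embeds in its pages.
        m = BUILD_IN_PATH.search(resp["body"])
        build = m.group(1) if m else None
    is_exchange = (build is not None
                   or "x-feserver" in headers
                   or "/owa/" in headers.get("location", ""))
    return {"exchange": is_exchange, "build": build, "family": family(build),
            "front_end": headers.get("x-feserver"), "status": resp["status"]}


def probe(host, path="/owa/", timeout=5):
    """Live check (not exercised by the sample data): fetch the path over TLS.
    Certificate verification is off on purpose: forgotten servers usually carry
    expired certs, and we are fingerprinting the endpoint, not trusting it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout, context=ctx)
    conn.request("GET", path, headers={"Host": host, "User-Agent": "exchange-inventory/0.1"})
    r = conn.getresponse()
    body = r.read(256 * 1024).decode("utf-8", "replace")
    conn.close()
    return {"status": r.status, "headers": dict(r.getheaders()), "body": body}


if __name__ == "__main__":
    for name, sample in [("owa", SAMPLE_OWA), ("redirect", SAMPLE_REDIRECT),
                         ("nginx", SAMPLE_NOT_EXCHANGE)]:
        print(name, fingerprint(sample))
    # Against your own public ranges: for h in hosts: print(h, fingerprint(probe(h)))
```

Run it over every host name and IP in your public ranges, not just the ones tagged “mail” in the asset register; the server in the story above was the one nobody had tagged.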

3. Confluence, Jira, and self-hosted DevOps surfaces

Atlassian Confluence has been on the exploited-CVE list for so long that it’s become a punchline, but the data shows attackers haven’t moved on because organisations haven’t either. The same is true for self-hosted Jenkins, GitLab CE, and TeamCity instances. These tools sit deep enough in the developer workflow that they often hold credentials, source code, and CI/CD secrets, the perfect mid-stage pivot for ransomware operators.

Patching guidance: assume any internet-facing collaboration or build server is being scanned constantly. Move them behind SSO and a VPN at minimum. Patch on every disclosure within seven days, and if one of them was exposed and unpatched past that window, rotate the secrets it held (CI tokens, deploy keys, service-account passwords) as part of the same change, since the credential store is what a compromise of these hosts is for.

4. SonicWall, ConnectWise, and remote-management software

SonicWall SSL-VPN flaws and the ConnectWise ScreenConnect chain from early 2024 remain in active use because attackers know MSPs use these tools to manage hundreds of downstream clients at once. One unpatched ScreenConnect instance is one path into every customer the MSP serves. The Q1 2026 intrusions we’ve seen here lean heavily on that fan-out.

Patching guidance: if you run an MSP or use one, this is a contractual conversation. Demand evidence of patch SLAs and segmentation between clients in the management plane.

5. Web-application stacks: WordPress plugins, ColdFusion, PHP CMS

Plugin vulnerabilities don’t get the headlines, but in raw exploitation volume they dominate. WordPress with two outdated paid plugins is a more common entry point than most enterprise people realise. Adobe ColdFusion remains a perennial target for organisations that quietly still run it. Drupal, Joomla, and Magento installs hit the same pattern.

Patching guidance: turn on automatic plugin updates where the platform supports them, and check that paid plugins still have an active licence, since many stop receiving updates when the licence lapses and will sit on an old version while reporting nothing wrong. Where automatic updates are not available, patch on a fixed weekly cadence rather than per disclosure; a fixed day gets skipped less often than an ad hoc one.

The order matters

Patching everything is the goal. Patching in the right order is what closes the door before someone walks in. Start with internet-facing edge appliances. Move to email and collaboration. Then DevOps. Then the application layer. Inside-the-perimeter Windows patches matter, but they’re not what’s getting people popped this quarter.

If you do nothing else this week, sit down with your asset inventory and confirm two things: every public-IP-bearing appliance is on the latest firmware, and you have a list of who you’ll call at three in the morning if one of them is found compromised. Those two artefacts are worth more than any threat-intel feed.

Ransomnews Research Team

The Ransomnews Research Team is the collective byline used for collaborative pieces, editorial briefings, and articles drawing on contributions from multiple researchers. Coverage spans ransomware operations, breach economics, threat actor profiling, OSINT methodology, and emerging risks across security, privacy, and AI.

© 2026 Ransomnews.com